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1 EP 0 956 

Description 

Field of the Invention 

[0001] The present invention relates to smart card se- s 
curity and more particularly to a system and method of 
biometric authentication of a smart card user. 

Background 

10 

[0002] Authentication is the process by which an en- 
tity, such as a financial institution or bank or other type 
of institution, identifies and verifies its customers or us- 
ers to itself and itself to its customers or users. Authen- 
tication includes the use of physical objects, such as 15 
cards and/or keys, shared secrets, such as personal 
identification numbers (PIN's) and/or passwords, and 
biometric technologies, such as voice prints, photos, 
signatures and/or fingerprints. Biometric tasks include, 
for example, an identification task and a verification 20 
task. The verification task determines whether or not the 
individual claiming an identity is the individual whose 
identity is being claimed. The identification task deter- 
mines whether the biometric signal, such as a finger- 
print, matches that of someone already enrolled in the 25 
system. 

[0003] Typically, biometric systems have a common 
methodology, regardless of their modality, such as fin- 
gerprint, face, voice, or the like. A person enrolls by do- 
nating some number of samples of the biometric. From 30 
these samples, the biometric system creates a model of 
the particular individual's patterns, which is referred to 
as a template. When the person attempts to access the 
system, the application collects new data. In a verifica- 
tion application, the individual claims an identity, and the 35 
application retrieves the individual's model from a data- 
base and compares the new signal to the retrieved mod- 
el. The result of this comparison is a match score, which 
indicates how well the new signal matches the template. 
The application then compares the match score ob- <o 
tained with a pre-defined threshold and decides whether 
to allow or deny access to the individual or, for example, 
to ask the individual for more data. 
[0004] Various authentication parameters are used by 
security systems to verify a valid cardholder and to grant 45 
the cardholder access to a secured resource. Informa- 
tion parameters, such as PIN's, can be readily read and 
processed by a card reader according to a system ver- 
ification algorithm. However, information can be com- 
promised, so that many authentication systems also re- so 
quire person-unique biometric parameters, such as fin- 
gerprints, or retinal images. In such authentication sys- 
tems, cardholder bio-specimens are stored in digital for- 
mat in the system computer. During authentication the 
system obtains the information parameters, for exam- 55 
pie, from the card, and the biometric parameters from 
the person and matches both to the system-stored val- 
ues. For a fingerprint, for example, there are fourteen 
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points and interpoint distances that the biometric reader 
compares and, depending on the match score, grants 
or denies access. 

[0005] The required match score is a function of a pre- 
selected security level and is set by the application de- 
signer. However, the image acquisition tolerances, as 
well as changes in the person's biometric parameter, 
such as a finger cut on the referenced fingerprint, cause 
false acceptances, such as accepting an impostor 
(False Accept or FA), and false rejections, such as re- 
jecting a valid user (False Reject or FR). Manufacturers 
of biometric readers or application developers provide 
performance histograms, which are distributions of the 
empirical number of valid acceptances and valid rejec- 
tions provided by the reader. To the extent the distribu- 
tions overlap, there are regions of false rejections of val- 
id users or FR and false acceptance of impostors or FA. 
In setting the system parameters, application designers 
attempt to set a threshold authentication match score 
which balances these tolerances against efficiency for 
a given application. 

[0006] The selected threshold match score is based 
on the desired probability of occurrence or non-occur- 
rence of a FA and/or FR, and the performance histo- 
grams quantify the probability of occurrence of FA and 
FR. These probabilities are inverse, in that by increasing 
the threshold score to reduce the Probability of FA or P 
(FA), the Probability of FR or P(FR) is increased. Con- 
versely, decreasing the threshold to reduce the Proba- 
bility of FR or P(FR) increases the Probability of FA or 
P(FA). 

[0007] In a given application the selected threshold is 
coded into the reader software, and system perform- 
ance is observed. If actual system efficiency is unac- 
ceptable due to a False Reject Rate (FRR) that is too 
high, the threshold score is reduced, and if unaccepta- 
ble due to a False Accept Rate (FAR) that is too high, 
the threshold is increased. Each time the threshold 
score changes, it must be recoded into the reader sys- 
tem software. Similarly, with each new reader model or 
new release, the threshold score must be changed in 
accordance with the new model histograms and possi- 
bly changed again following actual performance evalu- 
ation. Each re-coding of the threshold match score gen- 
erally requires a new system software release, together 
with the time and labor required to install the new soft- 
ware. 

[0008] EP-A-0 61 2 035 and GB-A-2 237 672 disclose 
a method of the kind referred to in the preamble of claim 
1 of authenticating a smart card user at a reader device. 
EP-A-0 612 035 also discloses a system of authenticat- 
ing a user at a reader device, which system is of the kind 
referred to in the preamble of claim 27. 

SUMMARY OF THE INVENTION 

[0009] It is a feature and advantage of the present in- 
vention to provide a system and method of biometric 
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smart card user authentication which automatically ad- 
justs the probability of occurrence or non-occurrence of 
false acceptance of an impostor and false rejection of a 
valid user without the necessity of reprogramming the 
reader system software. 

[0010] It is a further feature and advantage of the 
present invention of provide a system and method of bi- 
ometric smart card user authentication in which the per- 
formance of the biometric technology is independent of 
where the system positions the threshold for false ac- 
ceptance and false rejection. 

[0011] It is another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which makes the 
card application more secure, thereby reducing the risk 
of fraudulent or unauthorized use and allowing for high- 
er-value applications 

[0012] It is an additional feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which simplifies 
application design requirements by putting the user's bi- 
ometric template on the card, thereby eliminating or 
greatly reducing network traffic. 
[0013] It is still another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which enhances 
security and privacy by eliminating the necessity of 
transmitting the user's biometric template around to dif- 
ferent locations where it is needed. 
[0014] It is a still further feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication which allows ap- 
plication designers to set operating thresholds as tightly 
or as loosely as is appropriate for the particular risk in- 
volved. 

[0015] It is also a feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication with a flexible ar- 
chitecture format for storing biometrics on the smart 
card that is independent of application or biometric 
methodology or vendor. 

[0016] It is still an additional feature and advantage of 
the present invention to provide a system and method 
of biometric smart card user authentication which sup- 
ports different methods, vendors, and releases, and al- 
lows for flexibility of application deployment. 
[0017] It is another feature and advantage of the 
present invention to provide a system and method of bi- 
ometric smart card user authentication in which the user 
is automatically authenticated by an application on the 
smart card. 

[001 8] It is an additional feature and advantage of the 
present invention to provide a method and system of bi- 
ometric smart card user authentication in which the cus- 
tomer's use of the smart card in a transaction ties the 
customer undeniably to the transaction and make the 
transaction non-reputiatable. 

[0019] To achieve the stated and other features, ad- 



vantages and objects of the present invention, the sys- 
tem and method for authenticating a smart card user at 
a reader device of an embodiment of the present inven- 
tion includes storing information fields for the user on 
5 the smart card relating to biometric information for the 
user, also referred to as a biometric template. The bio- 
metric template includes at least one model of biometric 
patterns for the user, such as the user's voice print, pho- 
tograph, signature, fingerprint, hand geometry, retinal 

10 image or iris scan. The information fields also include a 
table of pre-defined probability of occurrence values for 
user authentication, as well as personal data for the us- 
er, identification of a biometric system, and a hashed 
data field. The information fields are stored in an appli- 
es cation on a microprocessor of the smart card. 

[0020] In an embodiment of the present invention, 
storing the information fields relating to the table of pre- 
defined probability of occurrence values involves auto- 
matically assigning a probability of occurrence value to 

20 each of a plurality of pre-defined threshold match 
scores, which are automatically identified for each of a 
plurality of value ranges of biometric reader device 
match scores. Identifying the threshold match scores in- 
volves automatically tabulating a performance histo- 

25 gram distribution of biometric reader device match 
scores for false acceptance of an impostor and false re- 
jection of a valid user into a plurality of value ranges. 
Tabulating the performance histogram distribution in- 
volves automatically quantifying the performance histo- 

30 gram into discrete levels of biometric reader device 
match scores and automatically assigning the probabil- 
ity of occurrence value for each of the discrete levels of 
the biometric reader device match scores. 
[0021] In an embodiment of the present invention, the 

35 smart card, together with a biometric sample for the us- 
er, are presented to the reader device, which is device 
match scores and automatically assigning the probabil- 
ity of occurrence value for each of the discrete levels of 
the biometric reader device match scores. 

40 [0022] In an embodiment of the present invention, the 
smart card, together with a biometric sample for the us- 
er, are presented to the reader device, which is associ- 
ated with a terminal, such as at least one of an area 
access terminal, a computer network terminal, a com- 

45 puter access terminal, a stored value terminal, a mone- 
tary access terminal, a PBX terminal, a long distance 
terminal, a personal computer, a laptop computer, a per- 
sonal digital assistant, a public internet terminal, and an 
automated teller machine. The presented biometric 

50 sample is, for example, at least one of a voice print, pho- 
tograph, signature, fingerprint, hand geometry, retinal 
image, and an iris scan 

[0023] In an embodiment of the present invention, the 
user is automatically authenticated by the reader device 
55 based at least in part on a match level between the 
stored biometric information and the presented biomet- 
ric sample according to a desired probability of occur- 
rence value from the stored table. The desired probabil- 
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ity of occurrence value is pre-selected by pre-defining a 
desired probability of occurrence value for false accept- 
ance of an impostor and false rejection of a valid user 
and pre-defining an instruction set which directs the 
reader device to look to the stored table of probability of $ 
occurrence values for a false acceptance of an impostor 
and false rejection of a valid user threshold match score 
corresponding to the desired probability of occurrence 
value. The user authentication is performed by an ap- 
plication associated with the reader device and residing 10 
on the reader device and/or the terminal. 
[0024] Alternatively, in an embodiment of the present 
invention, in order to provide enhanced security, the us- 
er is automatically authenticated by an application on 
the smart card. For example, the reader device reads is 
the presented biometric sample and automatically 
presents what is read by the reader device to the smart 
card application. The smart card application then au- 
thenticates the user according to the threshold match 
score from the table on the smart card application that ?o 
corresponds to the desired probability of occurrence val- 
ue. 

[0025] Additional objects, advantages and novel fea- 
tures of the present invention will be set forth in part in 
the description which follows, and in part will become 25 
more apparent to those skilled in the art upon examina- 
tion of the following or may be learned by practice of the 
invention. 

Brief Description of the Drawings 30 
[0026] 

Fig. 1 is a table which illustrates examples of types 
of data used in measuring biometrics performance 35 
for an embodiment of the present invention; 
Fig. 2 shows a sample biometric reader device per- 
formance histogram for an embodiment of the 
present invention; 

Fig. 3 is a table which illustrates four possible out- *o 
comes of a single biometric reader device trial for 
an embodiment of the present invention; 
Fig. 4 is a diagram which illustrates an example of 
a receiver operating characteristic (ROC) curve for 
an embodiment of the present invention; 45 
Fig. 5 is a flow chart which shows somewhat sche- 
matically an overview of the key components and 
the flow of information between the key compo- 
nents for an embodiment of the present invention; 
Fig. 6 is a table which illustrates examples of the so 
type of data stored on the smart card for an embod- 
iment of the present invention; 
Fig. 7 is a table which shows a sample probability 
look-up table for an embodiment of the present in- 
vention; and 55 
Fig. 8 is a flow chart which provides further detail 
regarding the process of authenticating a user 
through match scoring of a sample biometric ob- 



tained from the user by a biometric reader device 
for an embodiment of the present invention. 

Detailed Description 

[0027] Referring now in detail to an embodiment of the 
present invention, an example of which is illustrated in 
the accompanying drawings, a number of methods can 
be used to quantitatively measure biometrics perform- 
ance. Fig. 1 is a table which illustrates examples of types 
of data used in measuring biometrics performance for 
an embodiment of the present invention. The types of 
data include, for example, performance histogram 2, 
False Accept Rate (FAR) and False Reject Rate (FRR) 
4, Equal Error Rate (EER) 6, Failure to Acquire (FTA) 8, 
and "d m and Receiver Operating Characteristic (ROC) 
plots 10. 

[0028] A basic way to look at data for quantitatively 
measuring the performance of biometrics is to inspect 
the performance histogram 2. Each time a trial is per- 
formed, the system returns a match score which is plot- 
ted in the histogram 2. Fig. 2 illustrates a sample bio- 
metric reader device performance histogram for an em- 
bodiment of the present invention. The histogram 2 has 
the match score 12 on the x-axis 14, from low scores 16 
toward the left side of the histogram to high scores 18 
toward the right side of the histogram. The number of 
cases attempted 20 is shown on the y-axis 22 of the his- 
togram 2. Valid users 24 have higher match scores 18 
and are shown on the right side of the histogram 2. Dis- 
tributions vary from device to device, but are commonly 
normally distributed as bell curves 26 and 28. Impostors 
30 have lower scores 16 and are shown on the left side 
of the histogram 2. Note also that there are usually fewer 
impostors 30 than valid users 24. 
[0029] Referring further to Fig. 2, the vertical line on 
the histogram, which separates the two distributions of 
scores 26, 28, is known as the threshold 32. If a user 
scores higher than the threshold 32, the user is accept- 
ed, but if the user scores lower than the threshold, the 
user is rejected. There are four possible outcomes of a 
single trial. Fig. 3 is a table with illustrates the four pos- 
sible outcomes of a single biometric reader device trial 
for an embodiment of the present invention. The four 
possible outcomes include, for example, Correct Accept 
34 of a customer, Correct Reject 36 of an impostor, 
False Accept or FA 38 of an impostor, and False Reject 
or FR 40 of a customer. The percentage of cases in the 
False Accept or FA 38 outcome is called the False Ac- 
cept Rate (FAR), and the percentage of cases in the 
False Reject or FR 40 outcome is called the False Reject 
Rate (FRR). 

[0030] Referring again to Fig. 2, if the threshold 32 is 
repositioned toward the left side of the histogram 2, few- 
er FR's 40 occur, but more FA's 38 occur. If the threshold 
32 is repositioned toward the right side of the histogram 
2, more FR's 40 occur, but fewer FA's 38 occur. This is 
the essential tradeoff made in the context of an applica- 
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tion for an embodiment of the present invention. An im- 
portant aspect of an embodiment of the present inven- 
tion is that the system and method of the present inven- 
tion automatically moves the threshold, and the per- 
formance of the biometric technology is independent of 
where the application positions the threshold 32. 
[0031] The system and method for an embodiment of 
the present invention moves the threshold 32 according 
to the objectives of greater security or rejecting fewer 
customers. Referring likewise to Fig. 2, if the objective 
is greater security, the threshold 32 is moved to a higher 
position. If the objective is to reject fewer customers, the 
threshold 32 is moved to a lower position. Therefore, 
comparing a system which has, for example, a stated 
performance level of 1 percent FAR and 1 0 percent FRR 
with another system that has, for example, a perform- 
ance level of 2 percent FAR and 8 percent FRR is anal- 
ogous to comparing apples with oranges. 
[0032] Different organizational constituencies typical- 
ly have different perspectives of the FRR and FAR. For 
example, a security professional may prefer to know 
what the FRR will be if the FAR is set to 0 percent, while 
a marketing professional may wish to know what the 
FAR will be if the FRR is set to 0 percent. The number 
that is disposed in the middle is the Equal Error Rate 
(ERR). To address the aspect of movable thresholds, 
another method of quoting performance is the EER. Re- 
ferring further to Fig. 2, to find the EER, the threshold 
32 is set so that the percentage of FAR equals the per- 
centage of FRR, and the overall error is calculated. For 
example, if the threshold 32 is set so that 5 percent of 
valid users 24 are rejected and 5 percent of impostors 
30 are accepted, the overall EER is 5 percent. This is 
the outcomes table of a 5 percent EER. 
[0033] Another measure of biometrics performance is 
called Failure to Acquire (FTA) 8, which is the failure of 
the system to find a signal to analyze. For example, in 
the fingerprint area, this is known as the 'presentation 
problem.' If a user does not place the user's finger on 
the scanner with the right orientation, or if the user 
moves the user's finger while the system is scanning, 
the resulting image cannot be processed. Likewise, in 
a speech system, if the user does not speak loudly 
enough, or if there is line noise or a bad connection, the 
system can fail to find the words. In a face verification 
system, the system may not be able to find a head in 
the proper frame it expects, and hence fails to acquire 
the photo. FTA 8 is often a result of human factor prob- 
lems, mainly due to the amount of training a user may 
have or the amount of work a user must do to make the 
biometric work. 

[0034] A numerical description of the degree of sep- 
aration of two distributions, such as the scores of the 
valid users 24 and the scores of the impostors 30, known 
as "d\" is available from statistical decision and signal 
detection theory, and is related to the Neyman-Pearson 
equations describing distributions. It is defined accord- 
ing to the equation: 



d' = (m2 - m1)/sqrt [sd1 2 + sd2 2 )/2] 

in which n d'" is equal to the difference between the 
5 means of the distributions divided by the square root of 
the average of the squares of the standard deviations 
of the distributions. 

[0035] Fig. 4 is a diagram which illustrates an example 
of a receiver operating characteristic (ROC) curve 42 for 

10 an embodiment of the present invention. Referring to 
Fig. 4, the Probability of False Reject or P(FR) 44 is plot- 
ted on the y-axis 46, and the Probability of False Accept- 
ance or P(FA)) 48 is plotted on the x-axis 50. As previ- 
ously mentioned, there is a tradeoff by moving the 

15 threshold, for example, higher and rejecting more valid 
users 23 but also keeping out more impostors 30. This 
tradeoff is shown as the ROC curve 42. In the ROC 
curve 42, points near the origin (0, 0) 52 represent op- 
erating the biometric with some FA 38 and FR 40, 

20 whereas points at the ends of the line represent thresh- 
olds which are set very high or very low. For example, 
the threshold can be set high, such that P(FA) 48 is low 
and P(FR) 44 is high, or the threshold can be set low, 
such that P(FA) 48 is high while P(FR) 44 is low. 

25 [0036] Fig. 5 is a flow chart which shows somewhat 
schematically the key components and the flow of infor- 
mation between the key components for an embodiment 
of the present invention. Referring to Fig. 5, the system 
and method for biometric authentication of a smart card 

30 user 54 for an embodiment of the present invention in- 
volves storing certain information fields 56 in an appli- 
cation 58 on a microprocessor 60 embedded in the 
smart card 62, along with a biometric sample 64 itself. 
The information fields 56 include system identification 

35 and personal data, as well as a hashed data field, which 
is decoded by the system during the authentication 
process to certify the integrity of the information param- 
eters. 

[0037] Referring further to Fig. 5, additionally, the ap- 
^0 plication 58 on the smart card 62 includes a probability 
look-up table 66 which quantifies a reader device per- 
formance histogram distribution into discrete levels of 
match score 12 and assigns a corresponding probability 
factor to each level for both false acceptances of impos- 
es tors 30 and false rejections of valid users 24. The system 
reader device 68 is programmed with a desired Proba- 
bility of False Acceptances or P(FA)'s 48 and False Re- 
jections or P(FR)'s 44. The system reader 68 is also pro- 
grammed with an instruction routine that tells the system 
so signal processor to look to the probability look-up table 
66 on the card 62 to determine the false acceptances 
or false rejections threshold match score corresponding 
to the desired probability factor, to be used for authen- 
tication. 

55 [0038] An embodiment of the present invention pro- 
vides an architecture which allows flexibility in applica- 
tion design. Since application requirements vary in 
terms of risk, user populations, channel properties and 
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cost, the system and method for an embodiment of the 
present invention supports a wide range of these prop- 
erties. Biometric technology provides a type of security 
that is qualitatively different from that provided by token- 
based methods and information based methods. Token 5 
based methods make use of something that a user has, 
such as the card itself, and information-based methods 
utilize something that the user knows, such as a PIN or 
password. Biometric technology for an embodiment of 
the present invention can be used in addition to these '0 
other methods or by itself. 

[0039] In embodiment of the present invention, the 
use of biometric technology in conjunction with the 
smart card 62 makes the card application 58 more se- 
cure, thereby reducing the risk of fraudulent or unau- *5 
thorized use. This allows for the implementation of high- 
er-valued applications. Further, such use of biometric 
technology provides for non-repudiation of a transaction 
by the user 54 using the user's smart card 62, so the 
user cannot deny a transaction performed by the user 20 
with the smart card. In other words, use of biometric 
technology in conjunction with the smart card 62 unde- 
niably ties the user 54 to use of the smart card by the 
user. In addition, by putting the biometric template 64 
on the card 62, application design requirements are sim- 25 
plified, since network traffic is eliminated or greatly re- 
duced. This also enhances security and privacy, since 
it is unnecessary to transmit the template 64 around to 
different locations where it is needed. 
[0040] The system and method for an embodiment of 30 
the present invention has numerous applications, such 
as secure area access, computer network and computer 
access, stored value or other monetary access, PBX 
and long distance access. Each of such applications has 
different requirements in terms of risk, environment, us- 35 
er, channel and cost. In terms of risk, a transaction 
which, for example, transfers a million dollars to a num- 
bered Swiss bank account has a higher risk than one 
which simply returns a user's bank account balance. 
Gaining access, for example, to a nuclear weapons fa- 40 
cility or to war plans or lists of secret agents carries a 
greater risk than gaining access to an officer's club or 
DISNEY WORLD. An objective of the application de- 
signer is to set application operating thresholds as tight- 
ly or as loosely as is appropriate for the particular risk 45 
involved. 

[0041] In terms of environment, an office environment 
is different, for example, from an outdoor setting in a 
public space or a freezing border crossing station. While 
a face verification system works well, for example, in an so 
office environment, it may not work in a public space 
where the lighting and background is uncontrolled. Like- 
wise, a hand geometry unit will not work well at the freez- 
ing border station, unless heated in some way, but a 
speaker verification system may work. In regard to the 55 
user, if a user uses a particular system frequently, the 
user soon becomes habituated to the system. Since hu- 
man factors are an important part of overall system per- 



formance, a habituated user typically obtains better sys- 
tem performance than an unhabituated user on any giv- 
en biometric. Some biometric methods are easier to 
(earn and faster to use than others, so the type of user 
that is anticipated is an important factor in the selection 
and deployment of a biometric. 
[0042] In terms of channel, some biometrics are more 
appropriate than others, depending on the channel of 
use. For example, for long distance or cell phone ac- 
cess, speaker verification is more natural and efficient 
than, for example, fingerprinting. Secure area access 
method choice depends on the environment, but signa- 
ture verification may be more difficult than a camera 
based method, given the fact that the user may be car- 
rying packages or the like and standing, or the user may 
be in a wheelchair. However, for a point of sale terminal, 
if a signature is required in a credit card transaction an- 
yway, and if the merchant is moving to a paper-less busi- 
ness and the terminal has a pressure sensitive tablet for 
signature capture, then signature verification may be the 
most appropriate biometric method. 
[0043] Other channels include, for example, the per- 
sonal computer (PC) at home. Since many people only 
have one phone line into their home, deploying voice 
authentication may be cumbersome. However, a less 
cumbersome method may be a camera based method, 
since people may have cameras for other purposes, 
such as video teleconferencing. Other channels include, 
for example, laptop, personal digital assistant (PDA), 
public internet terminals, automated teller machines 
(ATM's), vehicles, and the like. 
[0044] In terms of cost, there are a number of deter- 
minants of cost of a biometric, including the cost of en- 
rollment, such as workstations, user time and monitor- 
ing, if supervised. Other cost factors include, for exam- 
ple, the cost of an access trial, such as user time, hard- 
ware and software and operations costs amortized over 
the number of verifications in the expected duration of 
the system, and the cost of storing the templates, such 
as the size of the template divided by cost of storage. 
To illustrate an example of the range of costs, a speaker 
verification system can be deployed for a telephone net- 
work that costs approximately $5,000 per channel for a 
processor capable of performing up to 5 verifications a 
minute. If the system performs 300 verifications an hour, 
24 hours a day, 7 days a week, 360 days a year, after 3 
years when the system is presumed obsolete, the cost 
per verification is about 6 cents per hundred verifica- 
tions. 

[0045] On the other hand, to illustrate another exam- 
ple of the range of costs, an iris scanner at a secure 
room portal might also cost about $5,000, but traffic 
through the portal might only be 30 verifications an hour 
or less, so the cost per verification for the iris scanner 
is proportionally greater than for speaker verification. As 
for template size, a hand geometry unit requires only 9 
bytes of storage per template, whereas some fingerprint 
units and voice units require upwards of a kilobyte per 
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template. Since memory costs on smart cards are not 
inexpensive, and the amount of time it takes to transfer 
the data off the card, in the case of matching template 
to signal off the card, is proportional to the size of the 
template, template size is an important consideration. 5 
[0046] In an embodiment of the present invention, a 
smart card parameter protocol mandates that certain in- 
formation fields 56 are stored on the card 62, in addition 
to the biometric sample 64 itself. These information 
fields 56 include system identification and personal da- 10 
ta, as well as a hashed data field, which is decoded by 
the system during the authentication process to certify 
the integrity of the information parameters. Fig. 6 is a 
table which illustrates examples of the type of data 
stored on the smart card 62 for an embodiment of the *5 
present invention. 

[0047] Referring to Fig. 6, the content of the first six 
fields includes, for example, method 70, vendor 72, re- 
lease 74, template 64, last updated 78, and first enrolled 
80. The method field 70 relates to the biometric technol- 20 
ogy employed, such as fingerprint. The vendor field 72 
identifies the particular vendor, such as SONY. The re- 
lease field 74 specifies a release number, such as 1.0. 
The template field 64 is the particular template, and the 
last updated and first enrolled fields 78, 80 indicate 25 
dates. Referring further to Fig. 6, the hash value 82 is a 
value which is arrived at by hashing everything in the 
record. This can be transmitted elsewhere to authenti- 
cate the validity of the template 64. 
[0048] Another aspect of an embodiment of the 30 
present invention is that the card 62 also includes a 
probability look-up table 66 which quantifies the reader 
device performance histogram distribution into discrete 
levels of match score, such as 200, 300, 400, and so 
on, and assigns a corresponding probability factor to 35 
each level. Fig. 7 is a table which shows a sample prob- 
ability look-up table 66 for an embodiment of the present 
invention. Referring to Fig. 7, the probability look-up ta- 
ble 66 includes an array of threshold match scores that 
are interpreted by the application 58. For example, for 40 
a False Accept Rate or FAR of less than 1 in 100, the 
match value between the template 64 and the presented 
signal must be greater than 200. Alternatively, for a 
False Reject Rate or FRR of less than 1 in one million, 
a threshold match score of 400 is used. This is done for 45 
both FA 38 and FR 40. 

[0049] In an embodiment of the present invention, the 
system reader 68 is programmed with a desired P(FA) 
48 or P(FR) 44 rather than with a fixed threshold match 
score. The system reader 68 is also programmed with so 
an instruction routine that tells the system signal proc- 
essor to look to the probability look-up table 66 on the 
card 62 to determine the desired probability factor's cor- 
responding FA 38 or FR 40 threshold match score to be 
used for authentication. This aspect reduces the cost of 55 
new system releases, since the application software 
may remain the same and only the cards have to be re- 
programmed, instead of both the system and the cards 



as in the prior art. In addition, the cards may be pro- 
grammed for personalized authentication, for example, 
at either a higher or lower security level, on an individual 
basis, instead of one value fits all. 
[0050] In an embodiment of the present invention, the 
user 54 is authenticated through match scoring of a 
sample biometric obtained from the user by the biomet- 
ric reader device 68. Fig. 8 is a flow chart which provides 
further detail regarding the process of authenticating a 
user through match scoring of a sample biometric ob- 
tained from the user by a biometric reader device for an 
embodiment of the present invention. At S1 , a biometric 
template 64 for the user 54 is stored in an application 
58 on a microprocessor 60 of the smart card 62, along 
with information fields 56, including system identification 
and personal data for the user. At S2, a look-up table 66 
based on a tabulation of performance histogram distri- 
bution of biometric reader device match scores for false 
acceptance or FA 38 and false rejection or FR 40 into 
value ranges, with each value range identified by a 
threshold match score and each threshold match score 
assigned a corresponding probability of occurrence val- 
ue P(FA) 48 and P(FR) 44, is also stored on the smart 
card application 58. 

[0051] Referring further to Fig. 8, at S3, the user 54 
presents the smart card 58, along with a new biometric 
sample for the user, to the biometric reader device 68 
pre-programmed with a desired probability of occur- 
rence value and with an instruction set that commands 
the reader device to look to the look-up table 66 on the 
card 58 for the threshold match score associated with 
the desired probability to be used for authentication of 
the user. At S4, the reader device 58 compares the new 
biometric sample for the user 54 with the user's biomet- 
ric template 64 stored on the smart card 62, identifies 
the threshold match score associated with the desired 
probability of occurrence value, and authenticates the 
user on the basis of the identified threshold match score. 
[0052] It is clear that there is no 'one biometric fits all' 
for every application, nor is there one operating thresh- 
old that is appropriate for all applications. An embodi- 
ment of the present invention provides a flexible archi- 
tecture format for storing biometrics on smart cards that 
is independent of application or biometric methodology 
or vendor. In an embodiment of the present invention, 
threshold match scores are no longer 'hardwired' in a 
specific application to a specific method, vendor and 
specific release. The same architecture applies no mat- 
ter what the risk, vendor, biometric method or release. 
Thresholds and methods are determined, and probabil- 
ity density functions of various vendors, methods and 
releases are derived in order to fill in the threshold match 
scores. Thus, an embodiment of the present invention 
supports different methods, vendors and releases, and 
allows for flexibility in application deployment. 
[0053] Various preferred embodiments of the present 
invention have been described in fulfillment of the vari- 
ous objects of the invention. It should be recognized that 
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these embodiments are merely illustrative of the princi- 
ples of the present invention. Numerous modifications 
and adaptations thereof will be readily apparent to those 
skilled in the art without departing from the spirit and 
scope of the present invention. Accordingly, the inven- 5 
tion is limited only by the following claims. 



Claims 

10 

1. A method of authenticating a smart card user at a 
reader device, comprising: 

storing information fields for the user on the 
smart card, wherein the information fields com- * 5 
prise biometric information for the user and a 
table of pre-defined probability of occurrence 
values for user authentication; 
presenting the smart card and a biometric sam- 
ple for the user to the reader device; and ?o 
automatically authenticating the user based at 
least in part on the match level between the 
stored biometric information and the presented 
biometric sample, 

calculating a match level between: 25 

(a) the biometric information for the user 
that is stored on the smart card and 

(b) the biometric sample for the user that is 
presented to the reader device; 30 

characterized by 

storing the information fields relating to the ta- 
ble of pre-defined probability of occurrence val- 35 
ues for user authentication further comprises 
automatically assigning a probability of occur- 
rence value to each of a plurality of pre-defined 
threshold match scores; 

programming the reader device with: 40 

(a) a desired probability of occurrence val- 
ue and 

(b) an instruction set directing the reader 
device to look to the table stored on the *5 
smart card to obtain the threshold match 
score that corresponds to the desired prob- 
ability of occurrence value; 

comparing the calculated match level with the so 
threshold match score that is obtained from the 
table stored on the smart card; and 
authenticating the user if the calculated match 
level is greater than the threshold match score 
that is obtained from the table stored on the 55 
smart card. 

2. The method of claim 1 , wherein storing the informa- 



tion fields relating to the biometric information for 
the user further comprises storing a biometric tem- 
plate for the user 

3. The method of claim 2, wherein storing the biomet- 
ric template further comprises storing at least one 
model of biometric patterns for the user selected 
from a group of biometric patterns consisting of 
voice print, photograph, signature, fingerprint, hand 
geometry, retinal image, and iris scan. 

4. The method of claim 1, wherein automatically as- 
signing the probability of occurrence values further 
comprises automatically identifying the threshold 
match scores for each of a plurality of value ranges 
of biometric reader device match scores. 

5. The method of claim 4, wherein automatically iden- 
tifying the threshold match scores further comprises 
automatically tabulating a performance histogram 
distribution ofbiometric reader device match scores 
for false acceptance of an impostor and false rejec- 
tion of a valid user into the plurality of value ranges. 

6. The method of claim 5, wherein automatically tab- 
ulating the performance histogram distribution fur- 
ther comprises automatically quantifying the per- 
formance histogram distribution into discrete levels 
of the biometric reader device match scores. 

7. The method of claim 6, wherein automatically tab- 
ulating the performance histogram distribution fur- 
ther comprises automatically assigning the proba- 
bility of occurrence value for each of the discrete 
levels of the biometric reader device match scores. 

8. The method of claim 1 , wherein storing the informa- 
tion fields further comprises storing personal data 
for the user on the smart card. 

9. The method of claim 1 , wherein storing information 
fields further comprises storing information related 
to identification of a biometric system on the smart 
card. 

10. The method of claim 1, wherein storing the informa- 
tion fields further comprises storing a hashed data 
field on the smart cared. 

1 1 . The method of claim 1 , wherein storing the informa- 
tion fields further comprises storing the information 
fields in an application on the smart card. 

12. The method of claim 11, wherein storing the infor- 
mation fields in the application further comprises 
storing the information fields in an application on a 
microprocessor of the smart card. 
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13. The method of claim 1, wherein presenting the value between the stored biometric information and 
smart card further comprises presenting the smart the biometric sample is at least a pre-determined 
card to the reader device associated with a terminal level, and for a desired false rejection rate, the 

match value is less than a pre-determined level. 

14. The method of claim 13, wherein the terminal fur- 5 

ther comprises at least one of an area access ter- 22. The method of claim 1 , wherein automatically au- 

minal, a computer network terminal, a computer ac- thenticating further comprise automatically authen- 

cess terminal, a stored value terminal, a monetary ticating the user by an application associated with 

access terminal, a PBX terminal, a long distance the reader device, 

terminal, a personal computer, a laptop computer, 10 

a personal digital assistant, a public internet termi- 23. The method of claim 22, wherein automatically au- 

nal, and an automated teller machine. thenticating further comprises automatically au- 
thenticating the user by an application residing at 

15. The method of claim 1 , wherein presenting the bio- least in part on the reader device, 
metric sample further comprises presenting the bi- is 

ometric sample to the reader device associated with 24. The method of claim 22, wherein automatically au- 

a terminal. thenticating further comprising automatically au- 
thenticating the user by an application residing at 

16. The method of claim 1 5, wherein the terminal fur- least in part on a terminal associated with the reader 
ther comprises at least one of an area access ter- 20 device. 

minal, a computer network terminal, a computer ac- 
cess terminal, a stored value terminal, a monetary 25. The method of claim 1, wherein automatically au- 
access terminal, a PBX terminal, a long distance thenticating further comprises automatically au- 
terminal, a personal computer, a laptop computer, thenticating the user by an application associated 
a personal digital assistant, a public internet termi- 25 with the smart card, 
nal, and an automated teller machine. 

26. The method of claim 25, wherein automatically au- 

17. The method of claim 1, wherein presenting the bio- thenticating further comprises automatically au- 
metric sample further comprises presenting at least thenticating the user by an application residing at 
one biometric sample selected from a group of bio- 30 least in part on the smart card. 

metric samples consisting of voice print, photo- 
graph, signature, fingerprint, hand geometry, retinal 27. A system for authenticating a smart card user at a 
image, and iris scan. reader device, comprising: 



18. The method of claim 1, wherein automatically au- 35 
thenticating further comprises pre-selecting the de- 
sired probability of occurrence value. 

19. The method of claim 18, wherein pre-selecting the 
desired probability of occurrence value further com- 40 
prises pre-defining a desired probability of occur- 
rence value for false acceptance of an impostor and 
false rejection of a valid user. 

20. The method of claim 19, wherein pre-defining the 45 
desired probability of occurrence value further com- 
prises pre-defining an instruction set directing the 
reader device to look to the stored table of proba- 
bility of occurrence values for a false acceptance of 

an impostor and false rejection of a valid user 50 
threshold match score corresponding to the desired 
probability of occurrence value. 

21. The method of claim 20, wherein automatically au- 
thenticating further comprises automatically select- 55 
ing the false acceptance of an impostor and false 
rejection of a valid user threshold match score, such 
that for a desired false acceptance rate, a match 



means for storing information fields for the user 
on the smart card, wherein the information 
fields comprise biometric information for the us- 
er and a table of pre-defined probability of oc- 
currence values for user authentication; 
means for presenting the smart card and a bi- 
ometric sample for the user to the reader de- 
vice; and 

means for automatically authenticating the user 
based at least in part on the match level be- 
tween the stored biometric information and the 
presented biometric sample, 
means for calculating a match level between: 

(a) the biometric information for the user 
that is stored on the smart card and 

(b) the biometric sample for the user that is 
presented to the reader device; 

characterized by 

said means for storing the information fields relating 
to the table of pre-defined probability of occurence 
values for user authentication further automatical- 
ly assignes a probability of occurence value to each 
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of a plurality of pre-defined threshold match scores; 
means for programming the reader device with: 

(a) a desired probability of occurrence val- 5 
ue and 

(b) an instruction set directing the reader 
device to look to the table stored on the 
smart card to obtain the threshold match 
score corresponding to the desired proba- 10 
bility of occurrence value; 

means for comparing the calculated match lev- 
el with the threshold match score that is ob- 
tained from the table stored on the smart card; *5 
and 

wherein the user is authenticated if the calcu- 
lated match level is greater than the threshold 
match score that is obtained from the table 
stored on the smart card. 20 

28. The system of claim 27, wherein the means for stor- 
ing the information fields further comprises an ap- 
plication on the smart card. 

25 

29. The system of claim 28, wherein the application on 
the smart card further comprises an application on 
a microprocessor of the smart card. 

30. The system of claim 29, wherein the means for pre- 30 
senting the smart card and the biometric sample fur- 
ther comprises a reader device associated with a 
terminal. 

31 . The system of claim 30, wherein the means for pre- 35 
senting the smart card and the biometric sample fur- 
ther comprises an application associated with the 
reader device. 

32. The system of claim 31 , wherein the terminal further <o 
comprises at least one of an area access terminal, 

a computer network terminal, a computer access 
terminal, a stored value terminal, a monetary ac- 
cess terminal, a PBX terminal, a long distance ter- 
minal, a personal computer, a laptop computer, a 45 
personal digital assistant, a public internet terminal, 
and an automated teller machine. 

33. The system of claim 27, wherein the means for au- 
tomatically authenticating the user further compris- so 
es an application associated with the reader device. 

34. The system of claim 33, wherein the reader device 
is associated with a terminal. 

55 

35. The system of claim 34, wherein the terminal further 
comprises at least one of an area access terminal, 
a computer network terminal, a computer access 



terminal, a stored value terminal, a monetary ac- 
cess terminal, a computer access terminal, a stored 
value terminal, a monetary access terminal, a PBX 
terminal, a long distance terminal, a personal com- 
puter, a laptop computer, a personal digital assist- 
ant, a public internet terminal and an automated tell- 
er machine. 

36. The system of claim 27, wherein the means for au- 
tomatically authenticating further comprises an ap- 
plication associated with the smart card. 



Patentanspruche 

1 . Verfahren zum Authentifizieren eines Benutzers ei- 
ner Chip-Karte an einer Lesevorrichtung, umfas- 
send: 

Speichern von Informationsfeldern fur den Be- 
nutzer auf der Chip-Karte, wobei die Informati- 
onsfelder biometrische Information fur den Be- 
nutzer und eine Tabelle mit vordefinierten Wer- 
ten einer Auftrittswahrscheinlichkeit fiir eine 
Authentifizierung eines Benutzers umfassen; 
Vorlegen der Chip-Karte und einer biometri- 
schen Probe fur den Benutzer der Lesevorrich- 
tung; und 

Berechnen eines Ubereinstimmungsniveaus 
zwischen: 

(a) der biometrischen Information fur den 
Benutzer, welche auf der Chip-Karte ge- 
speichert ist und 

(b) der biometrischen Probe fur den Benut- 
zer, welche der Lesevorrichtung vorgelegt 
wird; 

automatisches Authentifizieren des Benutzers, 
das mindestens teilweise auf dem Ubereinstim- 
mungsniveau zwischen der gespeicherten bio- 
metrischen Information und der vorgelegten 
biometrischen Probe basiert, 

gekennzeichnet durch: 

Speichern der Informationsfelder, die die Tabel- 
le der vordefinierten Werte der Auftrittswahr- 
scheinlichkeiten fiir die Authentifizierung des 
Benutzers betreffen, ferner umfassend ein au- 
tomatisches Zuweisen eines Wertes der Auf- 
trittswahrscheinlichkeit zu jedem einer Vielzahl 
von vordefinierten Obereinstimmungsschwell- 
werten; 

Programmieren der Lesevorrichtung mit: 

(a) einem gewunschten Wert der Auftritts- 
wahrscheinlichkeit; und 
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(b) einem Befehlssatz, derdie Lesevorrich- 
tung lenkt, in der auf der Chip-Karte ge- 
speicherten Tabelle nachzusehen, urn den 
Ubereinstimmungsschwellwert zu erhal- 
ten, der dem gewunschten Wert der Auf- 5 
trittswahrscheinlichkeit entspricht; 

Vergleichen des berechneten Ubereinstim- 
mungsniveaus mit dem Ubereinstimmungs- 
schwellwert, der aus der auf der Chip-Karte ge- 10 
speicherten Tabelle erhalten wlrd; und 
Authentifizieren des Benutzers, falls das be- 
rechnete Ubereinstimmungsniveau groBer ist 
als der Ubereinstimmungsschwellwert, der aus 
der auf der Chip-Karte gespeicherten Tabelle « 
erhalten wird. 

2. Verfahren gemaB Anspruch 1 , wobei das Speichern 
der Informationsfelder, die die biometrische Infor- 
mation fur den Benutzer betreffen, femer das Spei- 20 
chern einer biometrischen Vorlage fur den Benutzer 
umfasst. 

3. Verfahren gemaB Anspruch 2, wobei das Speichern 
der biometrischen Vorlage ferner ein Speichern 25 
mindestens eines Modells von biometrischen Mu- 
stern fur den Benutzer umfasst, die aus einer Grup- 

pe von biometrischen Mustern ausgewahlt werden, 
die Stimmabdruck, Lichtbild, Unterschrift, Finger- 
abdruck, Handgeometrie, Netzhautbild und Irisab- 30 
tastung enthalten. 

4. Verfahren gemaB Anspruch 1 , wobei ein automati- 
sches Zuweisen der Werte der Auftrittswahrschein- 
lichkeit ferner ein automatisches Identifizieren der 35 
Ubereinstimmungsschwellwerte fur jeden einer 
Vielzahl von Wertebereichen der Ubereinstim- 
mungswerte der biometrischen Lesevorrichtung 
umfasst. 

40 

5. Verfahren gemaB Anspruch 4, wobei das automa- 
tische Identifizieren der Ubereinstimmungsschwell- 
werte ferner ein automatisches Tabellarisieren ei- 
ner Leistungs-Histogramm-Verteilung von Oberein- 
stimmungswerten der biometrischen Lesevorrich- 45 
tung fur die falsche Anerkennung eines Betruger 
und falsche Ablehnung eines gultigen Benutzers in 

die Vielzahl von Wertebereichen umfasst. 

6. Verfahren gemaB Anspruch 5, wobei das Tabellari- so 
sieren der Leistungs-Histogramm-Verteilung ferner 

ein automatisches Quantifizieren der Leistungs-Hi- 
stogramm-Verteilung in diskrete Niveaus der Uber- 
einstimmungswerte der biometrischen Lesevorrich- 
tung umfasst. 55 

7. Verfahren gemaB Anspruch 6, wobei das Tabellari- 
sieren der Leistungs-Histogramm-Verteilung ferner 



ein automatisches Zuweisen des Wertes der Auf- 
trittswahrscheinlichkeit fur jedes der diskreten Ni- 
veaus der Ubereinstimmungswerte der Lesevor- 
richtung umfasst. 

8. Verfahren gemaB Anspruch 1 , wobei das Speichern 
der Informationsfelder ferner ein Speichern von 
personlichen Daten des Benutzers auf der Chip- 
Karte umfasst. 

9. Verfahren gemaB Anspruch 1 , wobei das Speichern 
der Informationsfelder ferner ein Speichern einer 
Information, die das identifizieren eines biometri- 
schen Systems betrifft, auf der Chip-Karte umfasst. 

1 0. Verfahren gemaB Anspruch 1 , wobei das Speichern 
der Informationsfelder femer ein Speichern eines 
Hash-Datenfeldes auf der Chip-Karte umfasst. 

1 1 . Verfahren gemaB Anspruch 1 , wobei das Speichern 
der Informationsfelder ferner ein Speichern der In- 
formationsfelder in eine Anwendung auf der Chip- 
Karte umfasst. 

12. Verfahren gemaB Anspruch 11, wobei das Spei- 
chern der Informationsfelder in der Anwendung fer- 
ner ein Speichern der Informationsfelder in einer 
Anwendung auf einem Mikroprozessor der Chip- 
Karte umfasst. 

13. Verfahren gemaB Anspruch 1 , wobei das Vorlegen 
der Chip-Karte ferner ein Vorlegen der Chip-Karte 
der Lesevorrichtung umfasst, die einem Endgerat 
zugeordnet ist. 

14. Verfahren gemaB Anspruch 13, wobei das Endge- 
rat ferner mindestens ein Bereichszugangsendge- 
rat, ein Computernetzwerkendgerat, ein Computer- 
zugangsendgerat, ein Speicherwertendgerat, ein 
Wahrungszugangsendgerat, ein PBX Endgerat, ein 
Fernendgerat, ein Persona Icomputer, ein Laptop- 
computer, ein personlicher digitaler Assistent, ein 
offentliches Intemetendgerat und ein Geldautomat 
umfasst. 

15. Verfahren gemaB Anspruch 1, wobei das Vorlegen 
der biometrischen Probe ferner ein Vorlegen der 
biometrischen Probe der Lesevorrichtung umfasst, 
die einem Endgerat zugeordnet ist. 

16. Verfahren gemaB Anspruch 15, wobei das Endge- 
rat ferner mindestens ein Bereichszugangsendge- 
rat, ein Computernetzwerkendgerat, ein Computer- 
zugangsendgerat, ein Speicherwertendgerat, ein 
Wahrungszugangsendgerat, ein PBX Endgerat, ein 
Fernendgerat, ein Persona Icomputer, ein Laptop- 
computer, ein personlicher digitaler Assistent, ein 
offentliches Intemetendgerat und ein Geldautomat 



11 



21 



EP0 956 818 B1 



22 



umfasst. 



der Lesevorrichtung befindet. 



17. Verfahren gemaB Anspruch 1, wobei das Vorlegen 
der biometrischen Probe ferner ein Vorlegen min- 
destens einer biometrischen Probe ausgewahlt aus 5 
einer Gruppe von biometrischen Proben umfasst, 
die Stimmabdruck, Lichtbild, Unterschrift, Finger- 
abdruck, Handgeometrie, Netzhautbild und Irisab- 
tastung enthalten. 

10 

18. Verfahren gemaB Anspruch 1, wobei das Automa- 
tische Authentifizieren ferner ein Vor-Auswahlen 
des gewunschten Wertes der Auftrittswahrschein- 
lichkeit umfasst. 

15 

19. Verfahren gemaB Anspruch 1 8, wobei das Vor-Aus- 
wahlen des gewunschten Wertes der Auftrittswahr- 
scheinlichkeit ferner ein Vordefinieren eines ge- 
wunschten Wertes der Auftrittswahrscheinlichkeit 

fur die falsche Anerkennung eines Betrugers und 20 
falsche Ablehnung eines gultigen Benutzers um- 
fasst. 

20. Verfahren gemaB Anspruch 19, wobei das Vordefi- 
nieren des gewunschten Wertes der Auftrittswahr- 25 
scheinlichkeit ferner ein Vordefinieren eines Befehl- 
satzes umfasst, der die Lesevorrichtung lenkt, in die 
gespeicherte Tabelle der Werte der Auftrittswahr- 
scheinlichkeit der Ubereinstimmungsschwellwerte 

fur eine falsche Anerkennung eines Betrugers und 30 
falsche Ablehnung eines gultigen Benutzers nach- 
zusehen, die dem gewunschten Wert der Auftritts- 
wahrscheinlichkeit entsprechen. 

21 . Verfahren gemaB Anspruch 20, wobei das automa- 35 
tische Authentifizieren ferner ein automatisches 
Auswahlen des Ubereinstimmungsschwellwertes 

fur die falsche Anerkennung eines Betrugers und 
falsche Ablehnung eines gultigen Benutzers um- 
fasst, so dass fur eine gewunschte falsche Aner- 40 
kennungshaufigkeit ein Qbereinstimmungswert 
zwischen der gespeicherten biometrischen Infor- 
mation und der biometrischen Probe mindestens ei- 
nem vorherbestimmten Niveau entspricht, und fur 
eine falsche Ablehnungshaufigkeit der Uberein- 45 
stimmungswert kleiner ist als ein vorherbestimmtes 
Niveau. 

22. Verfahren gemaB Anspruch 1, wobei das automa- 
tische Authentifizieren ferner ein automatisches 50 
Authentifizieren des Benutzers durch eine Anwen- 
dung umfasst, die der Lesevorrichtung zugeordnet 

ist. 

23. Verfahren gemaB Anspruch 22, wobei das automa- 55 
tische Authentifizieren ferner ein automatisches 
Authentifizieren des Benutzers durch eine Anwen- 
dung umfasst, die sich mindestens zu einem Teil auf 



24. Verfahren gemaB Anspruch 22, wobei das automa- 
tische Authentifizieren ferner ein automatisches 
Authentifizieren des Benutzers durch eine Anwen- 
dung umfasst, die sich mindestens zu einem Teil auf 
einem Endgerat befindet, das der Lesevorrichtung 
zugeordnet ist. 

25. Verfahren gemaB Anspruch 1, wobei das automa- 
tische Authentifizieren ferner ein automatisches 
Authentifizieren des Benutzers durch eine Anwen- 
dung umfasst, die der Chip-Karte zugeordnet ist. 

26. Verfahren gemaB Anspruch 25, wobei das automa- 
tische Authentifizieren ferner ein automatisches 
Authentifizieren des Benutzers durch eine Anwen- 
dung umfasst, die sich mindestens zu einem Teil auf 
der Chip-Karte befindet. 

27. System zum Authentifizieren eines Benutzers einer 
Chip-Karte an einer Lesevorrichtung, umfassend: 

Mittel zum Speichern von Informationsfelder fur 
den Benutzer auf der Chip-Karte, wobei die In- 
formationsfelder biometrische Information fur 
den Benutzer und eine Tabelle mit vordefinier- 
ten Werten der Auftrittswahrscheinlichkeit fur 
die Authentifizierung des Benutzers umfasst; 
Mittel zum Vorlegen der Chip-Karte und einer 
biometrischen Probe fur den Benutzer der Le- 
sevorrichtung; und 

Mittel zum Berechnen eines Ubereinstim- 
mungsniveaus zwischen: 

(a) der biometrischen Information fur den 
Benutzer, welche auf der Chip-Karte ge- 
speichert ist und 

(b) der biometrischen Probe fur den Benut- 
zer, welche der Lesevorrichtung vorgelegt 
wird; 

- Mittel zum automatischen Authentifizieren des 
Benutzers, das mindestens teilweise auf dem 
Ubereinstimmungsniveau zwischen der ge- 
speicherten biometrischen Information und der 
vorgelegten biometrischen Probe basiert, 

gekennzeichnet 

dadurch, dass das Mittel zum Speichern der 
Informationsfelder, die die Tabelle der vordefi- 
nierten Werten der Auftrittswahrscheinlichkeit 
fur die Authentifizierung des Benutzers betref- 
fen, ferner automatisch einen Wert der Auftritts- 
wahrscheinlichkeit jedem einer Vielzahl von 
vordefinierten Obereinstimmungsschwellwer- 
ten zuweist; 



12 



23 



EP0 956 818 B1 



24 



durch Mittel zum Programmieren der Lesevor- 
richtung mit: 

(a) einem gewunschten Wert der Auftritts- 
wahrscheintichkeit; und 

(b) einem Befehlssatz, der die Lesevorrich- 
tung lenkt, in der auf der Chip-Karte ge- 
speicherten Tabelle nachzusehen, um den 
Ubereinstimmungsschwellwert zu erhal- 
ten t der dem gewunschten Wert der Auf- 
trittswahrscheinlichkeit entspricht; 

durch Mittel zum Vergleichen des berechneten 
Ubereinstimmungsniveaus mit dem Uberein- 
stimmungsschwellwert, der aus der auf der 
Chip-Karte gespeicherten Tabelle erhalten 
wird; und 

wobei der Benutzer authentifiziert ist, falls das 
berechnete Ubereinstimmungsniveau gro&er 
ist als der Obereinstimmungsschwellwert, der 
aus der auf der Chip-Karte gespeicherten Ta- 
belle erhalten wird. 
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33. System gemali Anspruch 27, wobei das Mittel zum 
automatischen Authentifizieren des Benutzers fer- 
ner eine Anwendung umfasst, die der Lesevorrich- 
tung zugeordnet ist. 

34. System gemali Anspruch 33, wobei die Lesevor- 
richtung einem Endgerat zugeordnet ist. 
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28. System gemali Anspruch 27, wobei das Mittel zum 
Speichern der Informationsfelder ferner eine An- 25 
wendung auf der Chip-Karte umfasst. 

29. System gemali Anspruch 28, wobei die Anwendung 
auf der Chip-Karte ferner eine Anwendung auf ei- 
nem Mikroprozessor der Chip-Karte umfasst. 30 

30. System gemali Anspruch 29, wobei das Mittel zum 
Vorlegen der Chip-Karte und der biometrischen 
Probe ferner eine Lesevorrichtung umfasst, die ei- 
nem Endgerat zugeordnet ist. 35 

31. System gemaB Anspruch 30, wobei das Mittel zum 
Vorlegen der Chip-Karte und der biometrischen 
Probe ferner eine Anwendung umfasst, die der Le- 
sevorrichtung zugeordnet ist. 40 



32. System gemali Anspruch 31, wobei das Endgerat 
ferner mindestens ein Bereichszugangsendgerat, 
ein Computemetzwerkendgerat, ein Computerzu- 
gangsendgerat, ein Speicherwertendgerat, ein 
Wahrungszugangsendgerat, ein PBX Endgerat, ein 
Fernendgerat, ein Personalcomputer, ein Laptop- 
computer, ein personlicher digitaler Assistent, ein 
offentliches Internetendgerat und ein Geldautomat 
umfasst. 
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35. System gemali Anspruch 34, wobei das Endgerat 
ferner mindestens ein Bereichszugangsendgerat, 
ein Computemetzwerkendgerat, ein Computerzu- 
gangsendgerat, ein Speicherwertendgerat, ein 
Wahrungszugangsendgerat, ein PBX Endgerat, ein 
Fernendgerat, ein Personalcomputer, ein Laptop- 
computer, ein personlicher digitaler Assistent, ein 
offentliches Internetendgerat und ein Geldautomat 
umfasst. 

36. System gemSB Anspruch 27, wobei das Mittel zum 
automatischen Authentifizieren ferner eine Anwen- 
dung umfasst, die der Chip-Karte zugeordnet ist. 



Revendications 

1. Procede d'authentification d'un utilisateur de carte 
a memoire au niveau d'un dispositif de lecture, qui 
comprend : 

• le stockage de champs d'informations relatifs a 
I'utilisateur sur la carte a memoire, les champs 
d'informations comprenant des informations 
biometriques relatives a I'utilisateur et un ta- 
bleau de probability predefinie de valeurs d'oc- 
currence permettant I'authentification de 
I'utilisateur ; 

• la presentation de la carte a memoire et d'un 
echantillon biometrique reiatif a i'utilisateur au 
dispositif de lecture ; et 

• I'authentification automatique de I'utilisateur, 
au moins en partie sur la base du niveau de 
correspondance entre les informations biome- 
triques stockees et I'echantillon biometrique 
presente, 

le calcul d'un niveau de correspondance entre : 

(a) les informations biometriques relatives 
a I'utilisateur et stockees sur la carte a me- 
moire, et 

(b) I'echantillon biometrique reiatif a I'utili- 
sateur que Ton presente au dispositif de 
lecture ; 

caracterise par 

le stockage des champs d'informations concer- 
nant le tableau de probability predefinie de va- 
leurs d'occurrence permettant I'authentification 
de I'utilisateur comprend de plus Tassignation 
automatiquement d'une probability de valeur 
d'occurrence a chacun d'une plurality de sco- 
res seuils de correspondance predefinis ; 
- le fait de programmer le dispositif de lecture a 
I 'aide : 

(a) d'une probability voulue de valeur d'oc- 
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currence et 

(b) (fun ensemble constructions condul- 
sant le dispositif de lecture a consulter le 
tableau stocke sur la carte a memoire afin 
d'obtenir le score seuil de correspondance 5 
correspondant a la probabilite voulue de 
valeur d'occurrence ; 

la comparaison du niveau calcule de corres- 
pondance au score seuil de correspondance 10 
que Ton obtient a partir du tableau stocke sur 
la carte a memoire ; et 

authentication de I'utilisateur si le niveau cal- 
cule de correspondance est superieur au score 
seuil de correspondance obtenu a partir du ta- is 
bleau stocke sur la carte a memoire. 



bulation de la repartition en histogramme des per- 
formances comprend de plus ('assignation de la 
probabilite de la valeur d'occurrence pour chacun 
des niveaux discrets des scores de correspondan- 
ce du dispositif de lecture biometrique. 

8. Procede selon la revendication 1, dans lequel le 
stockage des champs d'informations comprend de 
plus le stockage de donnees personnelles relatives 
a I'utilisateur sur la carte a memoire. 

9. Procede selon la revendication 1, dans lequel le 
stockage des champs d'informations comprend de 
plus le stockage d'informations concernant I'identi- 
fication d'un systeme biometrique sur la carte a me- 
moire. 



2. Procede selon la revendication 1, dans lequel le 
stockage des champs d'informations concernant 
les informations biometriques relatives a I'utilisateur 20 
comprend de plus le stockage d'un modele biome- 
trique relatif a I'utilisateur. 



3. Procede selon la revendication 2, dans lequel le 
stockage du modele biometrique comprend de plus 25 
le stockage d'au moins un modele de references 
biometriques relatives a I'utilisateur, choisis a partir 
d'un groupe de references biometriques consistant 

en les elements suivants : I'empreinte vocale, 1a 
photographie, la signature, I'empreinte digitale, la 30 
geometrie de la main, I'image retinienne et le ba- 
layage de I'iris. 

4. Procede selon la revendication 1 , dans lequel I'as- 

sig nation de la probabilite des valeurs d'occurrence 35 
comprend de plus ('identification automatique des 
scores seuils de correspondance pour chacune 
d'une pluralite d'intervalles devaleurs de scores de 
correspondance du dispositif de lecture biometri- 
que. 40 

5. Procede selon la revendication 4, dans lequel 
('identification des scores seuils de correspondance 
comprend de plus la tabulation d'une repartition en 
histogramme des performances des scores de cor- 45 
respondance du dispositif de lecture biometrique, 
pour la fausse acceptation d'un imposteur et le rejet 
par erreur d'un utilisateur valide, parmi la pluralite 
d'intervalles devaleurs. 

50 

6. Procede selon la revendication 5, dans lequel la ta- 
bulation de la repartition en histogramme des per- 
formances comprend de plus ia quantification auto- 
matique de la repartition en histogramme des per- 
formances en niveaux discrets de scores de corres- 55 
pondance du dispositif de lecture biometrique. 

7. Procede selon la revendication 6, dans lequel la ta- 



10. Procede selon ia revendication 1, dans lequel le 
stockage des champs d'informations comprend de 
plus le stockage d'une zone de donnees hachees 
sur la carte a memoire. 

11. Procede selon la revendication 1, dans lequel le 
stockage des champs d'informations comprend de 
plus le stockage des champs d'informations dans 
une application sur la carte a memoire. 

12. Procede selon la revendication 11, dans lequel le 
stockage des champs d'informations dans ('applica- 
tion comprend de plus le stockage des champs d'in- 
formations dans une application sur un micropro- 
cesseur de la carte a memoire. 

13. Procede selon la revendication 1, dans lequel la 
presentation de la carte a memoire comprend de 
plus la presentation de la carte a memoire au dis- 
positif de lecture associe a un terminal. 

14. Procede selon la revendication 13, dans lequel le 
terminal comprend de plus au moins I'un des ele- 
ments suivants : un terminal a acces local, un ter- 
minal de reseau informatique, un terminal a acces 
informatique, un terminal a valeur memorisee, un 
terminal a acces monetaire, un terminal PBX, un 
terminal eloigne, un ordinateur personnel, un ordi- 
nateur portatif, un assistant numerique personnel, 
un terminal Internet public, et un guichet automati- 
que bancaire. 

15. Procede selon la revendication 1, dans lequel la 
presentation de I'echantillon biometrique comprend 
de plus la presentation de I'echantillon biometrique 
au dispositif de lecture associe a un terminal. 

16. Procede selon la revendication 15, dans lequel le 
terminal comprend de plus au moins I'un des ele- 
ments suivants : un terminal a acces local, un ter- 
minal de reseau informatique, un terminal a acces 
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informatique, un terminal a valeur memorisee, un 
terminal a acces monetaire, un terminal PBX, un 
terminal eloigne, un ordinateur personnel, un ordi- 
nateur portatif, un assistant numerique personnel, 
un terminal Internet public, et un guichet automati- 5 
que bancaire. 

17. Procede selon (a revendication 1, dans lequel la 
presentation de I'ychantillon biometrique comprend 
de plus la presentation d'au moins un echantillon 10 
biometrique choisi parmi dans un groupe d'echan- 
tillons biomytriques consistant en les elements 
suivants : I'empreinte vocale, la photographie, la si- 
gnature, I'empreinte digitale, la geometrie de la 
main, I'image retinienne et le balayage de I'iris. *s 



I'authentification automatique comprend de plus 
I'authentification automatique de I'utilisateur par 
une application residant au moins en partie dans le 
dispositif de lecture. 

24. Procede selon la revendication 22, dans lequel 
I'authentification automatique comprend de plus 
I'authentification automatique de I'utilisateur par 
une application residant au moins en partie dans un 
terminal associe au dispositif de lecture. 

25. Procede selon la revendication 1, dans lequel 
i'authentification automatique comprend de plus 
I'authentification automatique de I'utilisateur par 
une application associee a la carte a memoire. 



18. Procede selon la revendication 1, dans lequel 
i'authentification automatique comprend de plus la 
preselection de la probability voulue de la valeur 
d'occurrence. 20 

19. Procede selon la revendication 18, dans lequel la 
preselection de la probability voulue de la valeur 
d'occurrence comprend de plus la predefinition 
d'une probability voulue de valeur d'occurrence cor- 25 
respondant a la fausse acceptation d'un imposteur 

et le rejet par erreur d'un utilisateur valide. 

20. Procede selon la revendication 19, dans lequel la 
predefinition de la probability voulue de la valeur 30 
d'occurrence comprend de plus ia predefinition d'un 
ensemble destructions conduisant le dispositif de 
lecture a consulter le tableau stocky de probability 

de valeurs d'occurrence de score seuil de corres- 
pondence correspondant a la fausse acceptation 35 
d'un imposteur et au rejet par erreur d'un utilisateur 
valide et correspondant a la probability voulue de 
valeur d'occurrence. 

21. Procede selon la revendication 20, dans lequel *o 
I'authentification automatique comprend de plus la 
selection automatique de score seuil de correspon- 
dance correspondant a la fausse acceptation d'un 
imposteur et au rejet par erreur d'un utilisateur va- 
lide, ce qui fait que pour un taux voulu d'acceptation 45 
par erreur, une valeur de correspondance entre les 
informations biomytriques stockyes et I'echantillon 
biometrique atteint au moins un niveau predetermi- 

ny, et que pour un taux voulu de rejet par erreur, la 
valeur de correspondance se situe au-dessous d'un 50 
niveau predeterminy. 

22. Procedy selon la revendication 1, dans lequel 
I'authentification automatique comprend de plus 
I'authentification automatique de I'utilisateur par 55 
une application associ6e au dispositif de lecture. 

23. Procydy selon la revendication 22, dans lequel 



26. Procede selon la revendication 25, dans lequel 
I'authentification automatique comprend de plus 
I'authentification automatique de I'utilisateur par 
une application residant au moins en partie dans la 
carte a memoire. 

27. Systeme d'authentification d'un utilisateur de carte 
a memoire au niveau d'un dispositif de lecture, qui 
comprend : 

• un moyen de stockage de champs d'informa- 
tions relatifs a I'utilisateur sur la carte a memoi- 
re, les champs d'informations comprenant des 
informations biomytriques relatives a I'utilisa- 
teur et un tableau de probability predefinie de 
valeurs d'occurrence permettant I'authentifica- 
tion de I'utilisateur ; 

un moyen de presentation de la carte a mymoi- 
re et d'un echantillon biometrique relatif a I'uti- 
lisateur au dispositif de lecture ; et 

• un moyen d'authentification automatique de 
I'utilisateur, au moins en partie sur la base du 
niveau de correspondance entre les informa- 
tions biomytriques stockyes et I'echantillon bio- 
metrique prysenty, 

• un moyen de calcul d'un niveau de correspon- 
dance entre: 

(a) les informations biomytriques relatives 
a I'utilisateur et stockyes sur la carte a me- 
moire, et 

(b) I'ychantillon biometrique relatif a I'utili- 
sateur que Ton prysente au dispositif de 
lecture ; 

caractyrisy par 

le fait que (edit moyen de stockage des 
champs d'informations concernant le tableau 
de probability predefinie de valeurs d'occurren- 
ce permettant I'authentification de I'utilisateur 
assigne de plus automatiquement une proba- 
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bilite de valeur d'occurrence a chacun des sco- 
res seuils de correspondance pr6definis parmi 
une plurality d'entre eux ; 
un moyen de programmation du dispositif de 
lecture a I'aide : 5 

(a) d'une probability voulue de valeur d'oc- 
currence et 

(b) d'un ensemble destructions condui- 
sant le dispositif de lecture a consulter le 10 
tableau stocke sur la carte a me moire afin 
d'obtenir te score seuit de correspondance 
correspondant a la probability voulue de 
valeur d'occurrence ; 

15 

un moyen de comparaison du niveau calculi 
de correspondance au score seuil de corres- 
pondance que i'on obtient a partir du tableau 
stocke sur la carte a memoire ; et 
i'utitisateur etant authentifie si le niveau calcule 20 
de correspondance est superieur au score seuil 
de correspondance obtenu a partir du tableau 
stocke sur la carte a m6moire. 



dispositif de lecture. 

34. Systeme selon la revendication 33, dans lequel le 
dispositif de lecture est associe a un terminal. 

35. Systeme selon la revendication 34, dans lequel le 
terminal comprend de plus au moins i'un des ele- 
ments suivants : un terminal a acces local, un ter- 
minal de reseau informatique, un terminal a acces 
informatique, un terminal a valeur memorisee, un 
terminal a acces monetaire, un terminal PBX, un 
terminal eloigne, un ordinateur personnel, un ordi- 
nateur portatif, un assistant numerique personnel, 
un terminal Internet public, et un guichet automati- 
que bancaire. 

36. Systeme selon la revendication 27, dans lequel le 
moyen d'authentification automatique de I'utilisa- 
teur comprend de plus une application associee a 
la carte a memoire. 



28. Systeme selon la revendication 27, dans lequel le 25 
moyen de stockage des champs d'informations 
comprend de plus une application se trouvant dans 
la carte a memoire. 



29. Systeme selon la revendication 28, dans lequel Tap- 30 
plication se trouvant dans la carte a memoire com- 
prend de plus une application se trouvant dans un 
microprocesseur de la carte a memoire. 

30. Systeme selon la revendication 29, dans lequel le 35 
moyen de presentation de la carte a memoire et de 
I'echantilton biometrique comprennent de plus un 
dispositif de lecture associe a un terminal. 

31. Systeme selon la revendication 30, dans lequel le 40 
moyen de presentation de la carte a memoire et de 
P6chantillon biometrique comprend de plus une ap- 
plication associee au dispositif de lecture. 

32. Systeme selon la revendication 31, dans lequel le 45 
terminal comprend de plus au moins Tun des e!6- 
ments suivants : un terminal a acces local, un ter- 
minal de reseau informatique, un terminal a acces 
informatique, un terminal a valeur m6morisee, un 
terminal a acces monetaire, un terminal PBX, un so 
terminal eloigne, un ordinateur personnel, un ordi- 
nateur portatif, un assistant numerique personnel, 

un terminal Internet public, et un guichet automati- 
que bancaire. 

55 

33. Systeme selon la revendication 27, dans lequel le 
moyen d'authentification automatique de I'utilisa- 
teur comprend de plus une application associee au 
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Defective images within this document are accurate representations of the original 
documents submitted by the applicant. 

Defects in the images include but are not limited to the items checked: 

□ BLACK BORDERS 

□ IMAGE CUT OFF AT TOP, BOTTOM OR SIDES 
□ / FADED TEXT OR DRAWING 
LHiLURRED OR ILLEGIBLE TEXT OR DRAWING 

□ SKEWED/SLANTED IMAGES 

□ COLOR OR BLACK AND WHITE PHOTOGRAPHS 

□ GRAY SCALE DOCUMENTS 

OllNES OR MARKS ON ORIGINAL DOCUMENT 

□ REFERENCE(S) OR EXHIBIT(S) SUBMITTED ARE POOR QUALITY 

□ OTHER: 

IMAGES ARE BEST AVAILABLE COPY. 
As rescanning these documents will not correct the image 
problems checked, please do not report these problems to 
the IFW Image Problem Mailbox. 



